OIG Report No. 09-14

Evaluation of NARA's FY 2008 Management Control Program

Executive Summary

The Federal Managers' Financial Integrity Act (FMFIA) of 1982 (Public Law 97-255)
requires ongoing evaluations and reports of the adequacy of internal accounting and
administrative control of each executive agency. The Act requires the head of each
agency to annually prepare a statement on the adequacy of the agency's systems of
internal accounting and administrative control. Office of Management and Budget
(OMB) Circular A-123 (Revised), Management's Responsibility for Internal Control,
contains guidance for implementing FMFIA. OMB A-123 requires management to
annually report on internal control in its Performance and Accountability Report (PAR),
including a report on identified material weaknesses and corrective actions. It also
provides that the agency head, in preparing the annual assurance statement, should
consider input from the Office of Inspector General.

Annually, the OIG performs a review to ensure agency managers continuously monitor
and improve the effectiveness of internal controls associated with their programs. This
continuous monitoring in conjunction with other periodic evaluations provides the basis
for the agency head's annual assessment of, and report on, internal controls as required
by FMFIA.

Our initial assessment of the agency's FY 2008 assurance statement, as conveyed in our
October 31, 2008 memorandum (See Attachment A), was that the statement was
inaccurate and underreported material risk associated with NARA's Preservation and
Processing programs.
This is the same conclusion we reached and conveyed to the
agency in our assessment of their FY 2007 assurance statement.

Subsequently, we reviewed the open recommendations from last year's audit report and
found that management has not yet completed action to close the recommendations.
The three recommendations contained in the FY 2007 report were for the Policy and
Planning Staff (NPOL) to work with NARA offices and management control liaisons to
(1) stress the importance of performing internal control assessments in accordance with
management control plans;
(2) ensure the results of the assessments are included in the assurance statements; and
(3) revise, as necessary, the lists of "critical functions" to be reviewed.
The result is NARA continues to exhibit weaknesses in internal controls first identified in
FY 2007 that degrade the effectiveness of internal controls and the accuracy of office
assurance statements.

We also performed a detailed review of assurance statements for the five major program
offices (e.g. NA, NH, NL, NR, and NW) and found (1) one program office was not
reviewing the results of security self assessments and (2) one program office did not
include all relevant program review findings in their assurance statement.

National Archives and Records Administration

Our review also revealed Office of Administrative Services (NA) sub-offices improved
their evaluation, reporting, and documenting of internal control testing from the previous
year.
Specifically, NA sub-offices included the results of internal control testing in their
assurance statements and were able to produce adequate documentation to show such
reviews took place in accordance with guidance established in NARA 114, Management
Controls.

We are making three recommendations which we believe, once implemented, will
address the weaknesses cited in this review.

Background

The Federal Managers' Financial Integrity Act (FMFIA), Public Law 97-255, requires
each agency to establish controls that reasonably ensure: (1) obligations and costs comply
with applicable law, (2) assets are safeguarded against waste, loss, unauthorized use or
misappropriation, and (3) revenues and expenditures are properly recorded and accounted
for. In addition, the agency head must annually evaluate and report on the systems of
internal accounting and administrative control.

The Office of Management and Budget (OMB) Circular A-123, Management's
Responsibility for Internal Control, defines management's responsibility for internal
control in Federal agencies. It provides guidance to Federal managers on improving the
accountability and effectiveness of Federal programs and operations by establishing,
assessing, correcting, and reporting on internal control. OMB revised Circular A-123 in
response to the Sarbanes-Oxley Act, effective in fiscal year 2006. This revision
strengthened the requirements for management's assessment of internal control over
financial reporting. The new requirements apply only to the 24 Chief Financial Officer
Act agencies, thus exempting NARA from performing an A-127 review and reporting
pursuant to Section 4 of the FMFIA. However, NARA is still required to report on
internal controls pursuant to Section 2 of FMFIA.

NARA issued Directive 114, Management Controls, to help managers implement the
requirements of OMB A-123.
NARA 114 defines responsibilities; defines the types of
reviews that could be considered internal control assessments; identifies documentation
that must be maintained in support of an internal control evaluation; and addresses the
development and maintenance of management control plans. Among the responsibilities
defined by this guidance, Office Heads are required to identify and analyze risk and the
Policy and Planning Staff (NPOL) is required to provide oversight, guidance, and
assistance to NARA offices concerning implementation of the NARA internal control
program.

Assurance statements and information relating to FMFIA Section 2, Section 4 (from
which NARA is exempt), and internal control over financial reporting should be provided
in a single FMFIA report section of the annual Performance and Accountability Report
(PAR) labeled "Management Assurances." The section should include the annual
assurance statement, summary of material weaknesses and non-conformances, and
summary of corrective action plans.
Furthermore, FMFIA requires the Archivist to
annually submit to the President and Congress (1) a statement on whether there is
reasonable assurance that the agency's controls are achieving their intended objectives;
and (2) a report on material weaknesses in the agency's controls.

Objectives, Scope, and Methodology

The purpose of our evaluation was to determine the extent to which there is sufficient
evidence NARA complied with the requirements of the FMFIA, OMB Circular
A-123, and NARA 114, to support the Archivist's fiscal year 2008 assurance statement.
Specifically, our objectives were to (1) assess whether management is continually and
consistently reviewing critical areas, and (2) verify the accuracy of information contained
in management's assurance statements to the Archivist.

To accomplish our objective, we examined the assurance statements and related internal
control evaluation documents submitted by NARA office heads, reviewed additional
supporting documentation maintained by the offices, and met with management control
liaisons and other management officials. We performed a detailed review of the
assurance statements and management control plans for the five major program offices
(e.g. NA, NH, NL, NR, and NW). We also performed a desk audit of the staff offices.
Finally, we reviewed the controls associated with classified security self inspections.
Specifically, we
  • reviewed management's evaluation of controls in accordance with each office's
    Management Control Plan for FY 2008 and agency guidance concerning the
    conduct of such evaluations;
  • reviewed files related to the preparation of assurance statements to ensure they
    provided appropriate support for management statements;
  • reviewed sub-office (e.g. NAF, NAR, NAS, etc.) assurance statements to
    determine if the next higher level of management was performing a sufficient
    review of information passed up to them;
  • reviewed the status of recommendations made in prior year reports; and
  • reviewed compliance with the annual classified information security
    self-inspection.

To facilitate the submission of NARA's annual assurance statement we performed a
preliminary review of the agency assurance statement in October 2008.

This audit was conducted in accordance with generally accepted government auditing
standards (GAGAS) between October 2008 and May 2009. These standards require we
plan and perform the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit objectives. We
believe the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.

Prior Year Audit Recommendations Remain Open

Our review found recommendations for corrective action contained in our FY 2007
assurance statement audit have not been implemented.
In our FY 2007 audit [1] we
recommended the Policy and Planning Staff (NPOL) work with offices in general, and
management control liaisons in particular, to
  • stress the importance of performing internal control assessments of critical areas
    in accordance with management control plans and NARA 114;
  • ensure the results of the assessments are included in the assurance statements;
    and
  • revise, as necessary, the lists of "critical functions" to be reviewed.

These recommendations were aimed at both addressing non-compliance with provisions
of NARA 114 and OMB A-123 and modifying existing management control plans which
too narrowly defined/identified "critical functions" to allow for proper testing and
evaluation of controls. As noted in the report, the majority of problems were associated
with the smaller staff offices.

As we began our review of the staff office assurance statements we identified many of
the same weaknesses noted in FY 2007. Notably, "critical functions" had not been
revised and continued to be narrowly identified (more analogous to work processes) and
assurance statements did not include the results of internal control evaluations or
documentation to support such evaluations. For example, one office's assurance
statement indicated an internal control assessment of the timeliness of complaint
processing was to be evaluated in FY 2008, but included no further information on the
testing methodology employed or the results of the review. We discussed these
preliminary results with the agency's management control liaison, who stated the
continuation of previously identified weaknesses was not surprising, but would be
remedied once management took action to address findings in the FY 2007 audit report.
She also stated that she had worked with NA and NA sub-offices on improving their
internal control testing and reporting in FY 2008.
As noted in the Executive Summary
portion of this report, NA and its sub-offices showed improved testing and reporting in
FY 2008.

OMB Circular A-123 requires the agency and individual managers to take systematic and
proactive measures to assess the adequacy of internal controls in Federal programs and
operations, identify needed improvements, take corresponding corrective action, and
report annually on internal controls in order to be accountable for their area of control.
NARA Directive 114 provides guidance for establishing, assessing, correcting, and
reporting on internal controls. Both documents convey the elements necessary for
conducting and documenting sufficient internal control reviews.

[1] OIG Audit Report No. 08-06, Evaluation of NARA's FY 2007 Management Control Program (March 7,
2008)

Failing to consistently review critical areas/programs weakens management
accountability and decreases the likelihood problems will be identified and program risks
minimized. Furthermore, it promotes a false sense of assurance about the level of
program or function oversight provided by management and could result in an agency
assurance statement which inaccurately conveys risk.

Recommendation 1. The Director of Policy and Planning should ensure
recommendations from OIG Report No. 08-06 are implemented and previously identified
weaknesses are corrected. [2] Specifically, those recommendations require
      a. NPOL stress to management the importance of performing internal control
          assessments of their critical areas in accordance with their management
          control plans. This includes ensuring reviews are documented in accordance
          with NARA 114.6. Management control liaisons and upper managers should
          be reminded of their responsibility for reviewing sub-office and sub-unit
          assurance statements and ensuring internal control reviews are conducted and
          documented.
      b. NPOL revise NARA 114 to require the results of internal control reviews,
          conducted in accordance with each office's management control plan, be
          included in each office's assurance statement.
      c. The NARA management control liaison should work with the offices and
          office management control liaisons to review, and revise as necessary, the
          "critical functions" contained in the management control plans. The revision
          to these plans should seek to identify and rank risks to major program and
          functional areas and undertake internal control reviews of major risk areas.

[2] Because the recommendations from OIG Audit Report No. 08-06, Evaluation of NARA's FY 2007
Internal Control Program, are carried forward to this audit, OIG Report No. 08-06 can be closed.

Management Response

Management concurred with our recommendations.

Internal Control Assessment Results are not Evaluated

We found the results of Information Security Self Inspections were not reviewed or
evaluated by the Information Security Officer. Specifically, we found responsible units
are completing the self-evaluation checklists and forwarding them to the Information
Security Officer; however, no further action was taken. Reviewing the results of internal
control assessments, including identification of deficiencies and the formulation and
monitoring of corrective action, is a critical component of internal control monitoring and
testing. Without "closing the loop" on this internal control process NARA cannot be
assured that weaknesses are identified and properly mitigated.

NARA 2008-258, Annual Information Security Self-Inspection, requires all Information
Security Program Managers (ISPMs) conduct an annual self inspection of areas under
their cognizance in accordance with NARA 202, NARA Classified Information Security
Program. The self-inspection consists of an eight-page self-evaluation guide to be
completed by ISPMs and provided to the Information Security Officer. Any items found
to be non-compliant must be corrected immediately or tracked through monthly status
reports.

We sampled the self-inspection results for six ISPMs and were provided with completed
self-inspection checklists for all six. When we asked the Information Security Officer for
the results of his review of the self-evaluations we were informed no reviews were
conducted and the evaluations were placed in file for future reference. In addition to the
review and evaluation requirements contained in NARA 2008-258, NARA's internal
control guidance requires evaluation of self-assessments by a knowledgeable party. The
evaluation must include an evaluation of the results, written notice of concurrence or
disagreement, and any recommended corrective actions.
While there are not currently
any controls concerning the review and analysis of information security self inspections,
the Information Security Officer stated he intends to develop procedures for the review of
information security self assessments, including provisions for identifying instances of
non-compliance and tracking corrective actions, and estimated this would be completed
by October 2009.

As a result of deficiencies in controls over information security self-assessments, NARA
lacks assurance information security weaknesses are appropriately identified, reported,
and resolved, which could result in underreporting of risk in the agency assurance statement.

Recommendation 2. The Assistant Archivist for Administrative Services should ensure
Annual Information Security Self Inspection results are reviewed in a timely manner,
instances of non-compliance are identified, and corrective actions are monitored; and self
inspections are reviewed and documented in accordance with guidance concerning
self-assessments contained in NARA 114. If a formal process as referred to by the
Information Security Officer cannot be completed in time to facilitate the review of FY
2009 information security self inspections an alternate means of reviewing the checklists
should be developed.

Management Response

Management concurred with our recommendation.

"Significant" Findings Need to be Better Defined in NARA Internal Control Policy

Our review revealed one program office excluded from their assurance statement over
85% of findings identified through program reviews. While NARA's internal control
guidance (e.g. NARA 114) allows agency management to determine whether findings are
significant enough to report to the Archivist, it does not provide criteria on which such
decisions are based or requirements for documenting and supporting such decisions.
As a result, such decisions can appear "ad hoc" and adversely impact the consistency of the
reporting process.

In FY 2008, the Office of Regional Records Services (NR), a major program office, had
51 findings related to program reviews. Of these, seven were classified by the office
head as major/significant and included in the assurance statement to the Archivist. The
remaining 44 findings were considered to be minor and not transmitted to the Archivist
via assurance statement. We reviewed these 44 findings and identified three that we
believe are major:
  • A finding that there are no internal controls in place to prevent unauthorized use
    or theft of GSA fleet vehicles;
  • A lack of separation of duties between ordering and receiving accountable
    property; and
  • Inconsistencies in NARS-5 data that could result in premature disposals and
    improper customer billing.

We asked NR for information supporting their conclusion to categorize these three
findings as minor in an effort to better understand their decision process and criteria used
in evaluating findings. NR management responded that based on deliberation and
discussion of these issues at the completion of the program review it was determined they
were minor because no actual adverse impacts were observed or identified during the
program review and the resolution of identified deficiencies required very little time or
resources. The absence of detected or observed adverse impacts is not sufficient reason
to classify a finding as minor.
The goal of internal controls is to prevent or detect adverse
impacts and the point of monitoring and testing is to identify the absence of internal
controls, internal controls which are not properly functioning, or internal controls which
are not properly designed. The absence of guidance detailing the process which should
be used in evaluating findings, the criteria which should be applied, and the information
which should be maintained to support such a decision has resulted in an uneven
approach to evaluating findings and their relative importance and adversely impacts the
consistency of office assurance statements.

Additionally, NR does not formally track corrective action for minor findings. This
means in FY 2008 corrective action for over 85% of the program review findings was not
formally tracked. An important element in effective internal control monitoring/testing is
ensuring deficiencies are evaluated and corrected in a timely manner. This helps ensure
controls aimed at mitigating risks are in place and properly functioning.
During the
conduct of our audit we discussed with the NR management control liaison our concern
that such a large number of the program findings were not formally tracked to resolution.
The NR management control liaison responded NR was considering requiring regions to
report on all program review findings until such time as they are effectively closed.

Recommendation 3. The Archivist should ensure NARA policy on internal controls
(such as NARA 114) is revised to specifically address the process by which findings are
evaluated and categorized; criteria used in the decision making process; and
documentation necessary to support such conclusions.

Management Response

Management concurred with our recommendation.

Recommendation 4. The Assistant Archivist for Regional Records Services should
ensure all program findings, regardless of whether they are considered major or minor,
are tracked to resolution and supported by adequate documentation.

Management Response

Management concurred with our recommendation.

Attachment B

National Archives and Records Administration
8601 Adelphi Road
College Park, Maryland 20740-6001

Date:     AUG 26 2009
To:       OIG
From:     NPOL, NA, and NR
Subject:  OIG Draft Audit 09-14, Audit of NARA's FY 2008 Management Control Program

Thank you for the opportunity to comment on this draft audit report. This memorandum
represents the combined comments of these offices to the draft report dated July 28, 2009.

We concur with recommendations 1 and 3, and will offer more detail in our action plan
following release of the final report. We concur with the intent of recommendations 2 and 4,
but may need to make adjustments as we devise an action plan to address the findings while
not further straining available resources.

If you have questions about these comments, please contact Mary Drak at 301-837-1668 or by
email at mary.drak@nara.gov.

SUSAN M. ASHTIANIE
Director,
Policy and Planning Staff